2022-03-10 16:57:54 +00:00
|
|
|
.. role:: since
|
|
|
|
|
|
|
|
====================================
|
|
|
|
Storage volume encryption XML format
|
|
|
|
====================================
|
|
|
|
|
|
|
|
.. contents::
|
|
|
|
|
|
|
|
Storage volume encryption XML
|
|
|
|
-----------------------------
|
|
|
|
|
|
|
|
Storage volumes may be encrypted, the XML snippet described below is used to
|
|
|
|
represent the details of the encryption. It can be used as a part of a domain or
|
|
|
|
storage configuration.
|
|
|
|
|
|
|
|
The top-level tag of volume encryption specification is ``encryption``, with a
|
|
|
|
mandatory attribute ``format``. Currently defined values of ``format`` are
|
|
|
|
``default``, ``qcow``, ``luks``, and ``luks2``. Each value of ``format`` implies
|
|
|
|
some expectations about the content of the ``encryption`` tag. Other format
|
|
|
|
values may be defined in the future.
|
|
|
|
|
|
|
|
The ``encryption`` tag supports an optional ``engine`` tag, which allows
|
|
|
|
selecting which component actually handles the encryption. Currently defined
|
|
|
|
values of ``engine`` are ``qemu`` and ``librbd``. Both ``qemu`` and ``librbd``
|
|
|
|
require using the qemu driver. The ``librbd`` engine requires qemu version >=
|
|
|
|
6.1.0, both ceph cluster and librbd1 >= 16.1.0, and is only applicable for RBD
|
|
|
|
network disks. If the engine tag is not specified, the ``qemu`` engine will be
|
|
|
|
used by default (assuming the qemu driver is used). Note that ``librbd`` engine
|
|
|
|
is currently only supported by the qemu VM driver, and is not supported by the
|
|
|
|
storage driver. Furthermore, the storage driver currently ignores the ``engine``
|
2023-03-13 09:50:21 +00:00
|
|
|
tag. :since:`since 9.3.0` RBD layered encryption is supported. Layered
|
|
|
|
encryption requires a secret per each encrypted layer. The first secret
|
|
|
|
corresponds to the (child) image itself, the second secret to the parent image,
|
|
|
|
and so forth.
|
2022-03-10 16:57:54 +00:00
|
|
|
|
|
|
|
The ``encryption`` tag can currently contain a sequence of ``secret`` tags, each
|
|
|
|
with mandatory attributes ``type`` and either ``uuid`` or ``usage`` (
|
|
|
|
:since:`since 2.1.0` ). The only currently defined value of ``type`` is
|
|
|
|
``volume``. The ``uuid`` is "uuid" of the ``secret`` while ``usage`` is the
|
|
|
|
"usage" subelement field. A secret value can be set in libvirt by the
|
|
|
|
`virSecretSetValue <html/libvirt-libvirt-secret.html#virSecretSetValue>`__ API.
|
|
|
|
Alternatively, if supported by the particular volume format and driver,
|
|
|
|
automatically generate a secret value at the time of volume creation, and store
|
|
|
|
it using the specified ``uuid``.
|
|
|
|
|
2022-03-15 13:09:24 +00:00
|
|
|
``qcow`` format
|
|
|
|
~~~~~~~~~~~~~~~
|
2022-03-10 16:57:54 +00:00
|
|
|
|
|
|
|
:since:`Since 4.5.0,` encryption formats ``default`` and ``qcow`` may no longer
|
|
|
|
be used to create an encrypted volume. Usage of qcow encrypted volumes in QEMU
|
|
|
|
began phasing out in QEMU 2.3 and by QEMU 2.9 creation of a qcow encrypted
|
|
|
|
volume via qemu-img required usage of secret objects, but that support was not
|
|
|
|
added to libvirt.
|
|
|
|
|
2022-03-15 13:09:24 +00:00
|
|
|
``luks`` format
|
|
|
|
~~~~~~~~~~~~~~~
|
2022-03-10 16:57:54 +00:00
|
|
|
|
|
|
|
The ``luks`` format is specific to a luks encrypted volume and the secret is
|
|
|
|
used in order to either encrypt during volume creation or decrypt the volume for
|
|
|
|
usage by the domain. A single ``<secret type='passphrase'...>`` element is
|
2023-03-13 09:50:21 +00:00
|
|
|
expected (except for the case of RBD layered encryption mentioned above).
|
|
|
|
:since:`Since 2.1.0` .
|
2022-03-10 16:57:54 +00:00
|
|
|
|
|
|
|
For volume creation, it is possible to specify the encryption algorithm used to
|
|
|
|
encrypt the luks volume. The following two optional elements may be provided for
|
|
|
|
that purpose. It is hypervisor dependent as to which algorithms are supported.
|
|
|
|
The default algorithm used by the storage driver backend when using qemu-img to
|
|
|
|
create the volume is 'aes-256-cbc' using 'essiv' for initialization vector
|
|
|
|
generation and 'sha256' hash algorithm for both the cipher and the
|
|
|
|
initialization vector generation.
|
|
|
|
|
|
|
|
``cipher``
|
|
|
|
This element describes the cipher algorithm to be used to either encrypt or
|
|
|
|
decrypt the luks volume. This element has the following attributes:
|
|
|
|
|
|
|
|
``name``
|
|
|
|
The name of the cipher algorithm used for data encryption, such as 'aes',
|
|
|
|
'des', 'cast5', 'serpent', 'twofish', etc. Support of the specific
|
|
|
|
algorithm is storage driver implementation dependent.
|
|
|
|
``size``
|
|
|
|
The size of the cipher in bits, such as '256', '192', '128', etc. Support
|
|
|
|
of the specific size for a specific cipher is hypervisor dependent.
|
|
|
|
``mode``
|
|
|
|
An optional cipher algorithm mode such as 'cbc', 'xts', 'ecb', etc.
|
|
|
|
Support of the specific cipher mode is hypervisor dependent.
|
|
|
|
``hash``
|
|
|
|
An optional master key hash algorithm such as 'md5', 'sha1', 'sha256',
|
|
|
|
etc. Support of the specific hash algorithm is hypervisor dependent.
|
|
|
|
``ivgen``
|
|
|
|
This optional element describes the initialization vector generation
|
|
|
|
algorithm used in conjunction with the ``cipher``. If the ``cipher`` is not
|
|
|
|
provided, then an error will be generated by the parser.
|
|
|
|
|
|
|
|
``name``
|
|
|
|
The name of the algorithm, such as 'plain', 'plain64', 'essiv', etc.
|
|
|
|
Support of the specific algorithm is hypervisor dependent.
|
|
|
|
``hash``
|
|
|
|
An optional hash algorithm such as 'md5', 'sha1', 'sha256', etc. Support
|
|
|
|
of the specific ivgen hash algorithm is hypervisor dependent.
|
|
|
|
|
2022-03-15 13:09:24 +00:00
|
|
|
``luks2`` format
|
|
|
|
~~~~~~~~~~~~~~~~
|
2022-03-10 16:57:54 +00:00
|
|
|
|
|
|
|
The ``luks2`` format is currently supported only by the ``librbd`` engine, and
|
|
|
|
can only be applied to RBD network disks (RBD images). Since the ``librbd``
|
|
|
|
engine is currently not supported by the libvirt storage driver, you cannot use
|
|
|
|
it to control such disks. However, pre-formatted RBD luks2 disks can be loaded
|
|
|
|
to a qemu VM using the qemu VM driver. A single
|
2023-03-13 09:50:21 +00:00
|
|
|
``<secret type='passphrase'...>`` element is expected (except for the case of
|
|
|
|
RBD layered encryption mentioned above).
|
2022-03-10 16:57:54 +00:00
|
|
|
|
2023-03-13 09:50:23 +00:00
|
|
|
``luks-any`` format
|
|
|
|
~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
The ``luks-any`` format is currently supported only by the ``librbd`` engine,
|
|
|
|
and can only be applied to RBD network disks (RBD images). This format will try
|
|
|
|
to parse the disk as either LUKS or LUKS2, depending on the actual on-disk
|
|
|
|
format. A single ``<secret type='passphrase'...>`` element is expected (except
|
|
|
|
for the case of RBD layered encryption mentioned above) :since:`Since 9.3.0` .
|
|
|
|
|
2022-03-10 16:57:54 +00:00
|
|
|
Examples
|
|
|
|
--------
|
|
|
|
|
2022-05-31 14:00:37 +00:00
|
|
|
Assuming a `luks volume type secret <formatsecret.html#usage-type-volume>`__ is
|
2022-03-10 16:57:54 +00:00
|
|
|
already defined, a simple example specifying use of the ``luks`` format for
|
|
|
|
either volume creation without a specific cipher being defined or as part of a
|
|
|
|
domain volume definition:
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
<encryption format='luks'>
|
|
|
|
<secret type='passphrase' uuid='f52a81b2-424e-490c-823d-6bd4235bc572'/>
|
|
|
|
</encryption>
|
|
|
|
|
|
|
|
Here is an example specifying use of the ``luks`` format for a specific cipher
|
|
|
|
algorithm for volume creation. :since:`Since 6.10.0,` the ``target`` format can
|
|
|
|
also support ``qcow2`` type with ``luks`` encryption.
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
<volume>
|
|
|
|
<name>twofish.luks</name>
|
|
|
|
<capacity unit='G'>5</capacity>
|
|
|
|
<target>
|
|
|
|
<path>/var/lib/libvirt/images/demo.luks</path>
|
|
|
|
<format type='raw'/>
|
|
|
|
<encryption format='luks'>
|
|
|
|
<secret type='passphrase' uuid='f52a81b2-424e-490c-823d-6bd4235bc572'/>
|
|
|
|
<cipher name='twofish' size='256' mode='cbc' hash='sha256'/>
|
|
|
|
<ivgen name='plain64' hash='sha256'/>
|
|
|
|
</encryption>
|
|
|
|
</target>
|
|
|
|
</volume>
|